One of the best articles I’ve seen on application security analysis. Of course, some of the problem with current approaches are remedied when one takes a binary, SaaS approach and issues are scrubbed for false positives by trained security experts–in other words, the Veracode approach.